From: Szymon Wilczek
To: Marcel Holtmann, Luiz Augusto von Dentz
Cc: linux-bluetooth@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+4d6b203d625d2f57d4ca@syzkaller.appspotmail.com, Szymon Wilczek
Subject: [PATCH v2] Bluetooth: vhci: Fix slab-use-after-free by cloning skb
Date: Thu, 25 Dec 2025 10:19:21 +0100
Message-ID: <20251225091921.14860-1-swilczek.lx@gmail.com>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20251224235407.46333-1-swilczek.lx@gmail.com>
References: <20251224235407.46333-1-swilczek.lx@gmail.com>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

Hillf Danton pointed out that the root cause of the UAF issue is the lack of isolation between hci_core and vhci driver consumers. vhci_send_frame() modifies the skb (via skb_push) and queues the original skb to the readq for userspace consumption. This means the hci_core caller sees a modified skb (corrupted headers/data pointer) if it retains any reference. Furthermore, if vhci_read() frees the skb immediately, hci_core might hit a Use-After-Free.

Other drivers (like btusb) create a new URB and context, isolating the skb lifetime.

Fix this by cloning the skb in vhci_send_frame() before queueing. The clone is modified and queued. The original skb is freed immediately, satisfying the HCI driver contract to consume the skb while ensuring the queued object is distinct from the one passed by hci_core.

Reported-by: syzbot+4d6b203d625d2f57d4ca@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=4d6b203d625d2f57d4ca
Signed-off-by: Szymon Wilczek
---
 drivers/bluetooth/hci_vhci.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/drivers/bluetooth/hci_vhci.c b/drivers/bluetooth/hci_vhci.c
index 2fef08254d78..f2901a4b5b3a 100644
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -74,13 +74,20 @@ static int vhci_flush(struct hci_dev *hdev) static int vhci_send_frame(struct hci_dev *hdev, struct sk_buff *skb) { struct vhci_data *data =3D hci_get_drvdata(hdev); + struct sk_buff *nskb; =20 - memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1); + nskb =3D skb_clone(skb, GFP_ATOMIC); + if (!nskb) + return -ENOMEM; + + memcpy(skb_push(nskb, 1), &hci_skb_pkt_type(skb), 1); =20 - skb_queue_tail(&data->readq, skb); + skb_queue_tail(&data->readq, nskb); =20 if (atomic_read(&data->initialized)) wake_up_interruptible(&data->read_wait); + + kfree_skb(skb); return 0; } =20 --=20 2.52.0
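Review bot: the memcpy(skb_push(nskb, 1), ...) after skb_clone() writes the packet-type byte into a data buffer that nskb still shares with skb, because skb_clone() duplicates only the sk_buff header and not the data area; any other clone of skb that pushes its own header at the same offset would overwrite that byte, so the queued object is not fully distinct from the one passed in, as the description claims. Consider skb_copy(skb, GFP_ATOMIC) or __pskb_copy(skb, 1, GFP_ATOMIC), which gives nskb its own buffer with one byte of reserved headroom for the push; then the kfree_skb(skb) at the end really does drop hci_core's object without leaving the queued skb tied to it. It would also help to state in the changelog that on the -ENOMEM path skb is intentionally left for the caller to free, since the success path now frees it here.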